Link to home
Start Free TrialLog in
Avatar of Victor Kimura
Victor KimuraFlag for Canada

asked on

open port 993, 995, 110, 143 for mail server

Hi,

I'm trying to open up the ports for the mail server ports: 993, 995, 110, 143.

When I use:

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
25                         ALLOW IN    Anywhere
587                        ALLOW IN    Anywhere
110                        ALLOW IN    Anywhere
995                        ALLOW IN    Anywhere
143                        ALLOW IN    Anywhere
993                        ALLOW IN    Anywhere
993/tcp                    ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
25 (v6)                    ALLOW IN    Anywhere (v6)
587 (v6)                   ALLOW IN    Anywhere (v6)
110 (v6)                   ALLOW IN    Anywhere (v6)
995 (v6)                   ALLOW IN    Anywhere (v6)
143 (v6)                   ALLOW IN    Anywhere (v6)
993 (v6)                   ALLOW IN    Anywhere (v6)
993/tcp (v6)               ALLOW IN    Anywhere (v6)

Open in new window


when I use nmap --open though I get this:

Not shown: 991 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
587/tcp   open  submission
783/tcp   open  spamassassin
3306/tcp  open  mysql
5432/tcp  open  postgresql
10024/tcp open  unknown

Open in new window


I tried this:
sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT

and also this:
sudo ufw allow 993

but the nmap is still the same. I tried testing with telnet and openssl s_client -connect but the ports are, obviously, closed. What am I missing?

Much thanks and Father God bless<><,
Victor
SOLUTION
Avatar of Zephyr ICT
Zephyr ICT
Flag of Belgium image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of arnold
arnold
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of David Roberts
David Roberts
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

@spravtek, no, unfortunately, that didn't work.

@arnold, this is what I get:

forge@myultratrust/etc/ufw $ openssl s_client -connect 104.131.13.87:993
connect: Connection refused
connect:errno=111

Open in new window


When I look in /etc/ufw with ls -al:
total 44
drwxr-xr-x   3 root root 4096 Apr 25 13:14 .
drwxr-xr-x 109 root root 4096 Apr 25 02:35 ..
-rw-r-----   1 root root  915 Feb 28  2014 after6.rules
-rw-r-----   1 root root 1126 Apr 17  2014 after.init
-rw-r-----   1 root root 1004 Feb 28  2014 after.rules
drwxr-xr-x   2 root root 4096 Apr 24 01:31 applications.d
-rw-r-----   1 root root 3225 Feb 28  2014 before6.rules
-rw-r-----   1 root root 1130 Apr 17  2014 before.init
-rw-r-----   1 root root 2667 Feb 28  2014 before.rules
-rw-r--r--   1 root root 1941 Feb 28  2014 sysctl.conf
-rw-r--r--   1 root root  313 Feb 14 22:02 ufw.conf

Open in new window


But not sure what I should be changing. I read these update the iptables. I also read the order of the rules are important but not sure how I go about it. I'm using Ubuntu 14.04.1 - fyi.

forge@myultratrust/etc/ufw $ cat /etc/issue
Ubuntu 14.04.1 LTS \n \l
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

@David359,

I get this: 

firewall-cmd --zone=public --add-port=993/tcp --permanent
The program 'firewall-cmd' is currently not installed. You can install it by typing:
sudo apt-get install firewalld

Open in new window


Wondering if I should install it? I think Ubuntu uses the UFW. Should I use that instead of the UFW command?
SOLUTION
Avatar of David Roberts
David Roberts
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image
On my Ubuntu machine, ports 110 and 143 are open on the machine IP address but Not on localhost.  I don't have the 'secure' ports enabled in the mail server.
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

@David359, Ok thanks.

@Dave Baldwin, was that by default that the ports 110 and 143 were opened?

I ran the sudo iptables -L and got the following. It looks like the ports are opened but I can't telnet or nmap can't see it opened:

sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:25
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     udp  --  anywhere             anywhere             udp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere             udp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     udp  --  anywhere             anywhere             udp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

Open in new window

SOLUTION
Avatar of arnold
arnold
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

@arnold,

Ok. It seems that the connection is still refused on 127.0.0.1:

forge@myultratrust/var/log $ openssl s_client -connect 127.0.0.1:993
connect: Connection refused
connect:errno=111

Open in new window


I don't see a 192.168.x.x. in my ifconfig though:

 /sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 04:01:3f:67:2c:01
          inet addr:104.131.13.87  Bcast:104.131.63.255  Mask:255.255.192.0
          inet6 addr: fe80::601:3fff:fe67:2c01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1503521 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1380023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:890370056 (890.3 MB)  TX bytes:1320284280 (1.3 GB)

eth1      Link encap:Ethernet  HWaddr 04:01:3f:67:2c:02
          inet addr:10.132.97.202  Bcast:10.132.255.255  Mask:255.255.0.0
          inet6 addr: fe80::601:3fff:fe67:2c02/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:434190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:434190 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:376198994 (376.1 MB)  TX bytes:376198994 (376.1 MB)

Open in new window


What's the command for port forwarding to the internal IP and port? TY!
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

@Dave Balwin, can you share what you have in your /etc/ufw files? They have all the settings for the firewall rules I think.
SOLUTION
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of arnold
arnold
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

@Dave Balwin, ok, thanks!

I have this 

sudo ufw app list
Available applications:
  Dovecot IMAP
  Dovecot POP3
  Dovecot Secure IMAP
  Dovecot Secure POP3
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission

Open in new window


But the Postfix SMPTS is using 25:

sudo ufw app info Postfix SMTPS
Profile: Postfix
Title: Mail server (SMTP)
Description: Postfix is a high-performance mail transport agent

Port:
  25/tcp

Open in new window


And when I try this:

sudo ufw app info Dovecot Secure IMAP
ERROR: Could not find profile 'Dovecot'

Open in new window


I have what you have /etc/ufw/applications.d in the dovecot-common file too. Not sure why sudo ufw app info cannot find the Dovecot profile.

I have this in my /etc/ufw/applications.d/postfix

forge@myultratrust/etc/ufw/applications.d $ sudo vim postfix
[Postfix]
title=Mail server (SMTP)
description=Postfix is a high-performance mail transport agent
ports=25/tcp

[Postfix SMTPS]
title=Mail server (SMTPS)
description=Postfix is a high-performance mail transport agent
ports=465/tcp

[Postfix Submission]
title=Mail server (Submission)
description=Postfix is a high-performance mail transport agent
ports=587/tcp
~

Open in new window


@arnold,
I'm not sure if the system is a router. I'm using Digital Ocean for my Cloud server. I think they are similar to Linode.

How do I check which rules to which interface they apply? Or I guess how would I change them to apply to the correct IP?
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

I tried disable the ufw and using telnet but the connection was still refused:


forge@myultratrust/etc/ufw/applications.d $ sudo ufw disable
Firewall stopped and disabled on system startup
forge@myultratrust/etc/ufw/applications.d $ telnet livingtrustdiy.com 993
Trying 104.131.13.87...
telnet: Unable to connect to remote host: Connection refused
forge@myultratrust/etc/ufw/applications.d $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
forge@myultratrust/etc/ufw/applications.d $ telnet livingtrustdiy.com 993
Trying 104.131.13.87...
telnet: Unable to connect to remote host: Connection refused
SOLUTION
Avatar of Dave Baldwin
Dave Baldwin
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of arnold
arnold
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Victor Kimura
Victor Kimura
Flag of Canada image

ASKER

I provided my answer but wanted to give points to those that helped as their answers made me search for the things that I needed to search for. :)